
This change adds the option `security_sudoers_nopasswd_check_enable` when running check "V-71947". This change allows users to skip this check via ansible extra variable instead of having to skip tags.

While this change has a functional benefit in some environments, it is being done with the primary intention of providing a better experience to deploying running clouds where services like cloud-init may be present.

Change-Id: I0d0c95534ace0b00fa64c2f243ad91ce5844d85a
Closes-Bug: #1741225
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
---
id: V-71947
status: exception - manual intervention
tag: auth
---

The STIG requires all users to authenticate when using ``sudo``, but this
change can be highly disruptive for automated scripts or applications that
cannot perform interactive authentication. Automated edits from Ansible tasks
might cause authentication disruptions on some hosts, and deployers are urged
to carefully review each use of the ``NOPASSWD`` directive in their ``sudo``
configuration files.

Deployers can opt-out of this change by setting an Ansible variable:

.. code-block:: yaml

    security_sudoers_nopasswd_check_enable: no
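
One way to carry out the review of ``NOPASSWD`` uses urged above, as an added example that is not part of this project's code: a POSIX shell function that lists every active rule carrying ``NOPASSWD``, joining backslash-continued lines and skipping commented-out rules. The function names and the sample files are constructed for illustration.

```sh
# Report active sudoers rules that carry NOPASSWD as "file:line:rule".
# Arguments are sudoers files or include directories.
find_nopasswd() {
    for target in "$@"; do
        if [ -d "$target" ]; then
            for f in "$target"/*; do
                [ -f "$f" ] || continue
                # sudo ignores include-dir names containing "." or ending in "~"
                case "${f##*/}" in *.*|*~) continue ;; esac
                scan_sudoers_file "$f"
            done
        elif [ -f "$target" ]; then
            scan_sudoers_file "$target"
        fi
    done
}

scan_sudoers_file() {
    awk -v file="$1" '
        function emit() {
            # Skip comment lines; report rules tagged NOPASSWD
            if (buf !~ /^[ \t]*#/ && buf ~ /NOPASSWD[ \t]*:/) {
                gsub(/[ \t]+/, " ", buf)
                print file ":" start ":" buf
            }
            buf = ""; cont = 0
        }
        {
            if (!cont) start = FNR
            # A trailing backslash continues the rule on the next line
            if ($0 ~ /\\$/) { buf = buf substr($0, 1, length($0) - 1); cont = 1; next }
            buf = buf $0
            emit()
        }
        END { if (cont) emit() }
    ' "$1"
}

# Constructed sample input (not taken from any real host)
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# deploy ALL=(ALL) NOPASSWD: ALL' \
        'backup ALL=(root) \' '    NOPASSWD: /usr/bin/rsync' \
        'ops ALL=(ALL) ALL' > "$d/90-cloud-init-users"
    printf '%s\n' 'old ALL=(ALL) NOPASSWD: ALL' > "$d/legacy.bak"
    echo "$d"
}

sample=$(make_sample) && find_nopasswd "$sample"
```

On a real host the arguments would be the main sudoers file and its include directory; each reported rule is one that will stop working non-interactively if the check is left enabled.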